2014-09-29 18:35 GMT+02:00 John Jones <[email protected]>:
> Well, I was mistaken.
> I still have messages from http in /var/log/syslog of this nature:
> Sep 29 08:51:11 web error: [Mon Sep 29 08:51:05 2014] [error] [client 184.73.207.18] client denied by server configuration: /var/www/cirrhus9/wp-admin/admin-ajax.php
> Sep 29 08:51:11 web error: [Mon Sep 29 08:51:05 2014] [error] [client 69.46.36.8] client denied by server configuration: /var/www/cirrhus9/wp-admin/admin-ajax.php
>
> wp-login.php is restricted in apache_site.conf and I'm not convinced that
> has anything to do with anything rsyslog-related, but I could be wrong.
> my /etc/rsyslog.d/10-watchfile.conf *was* named
> /etc/rsyslog.d/watchfile.conf and this sent duplicates and triplicates to
> /var/log/syslog
> up until I moved it to 10-watchfile.conf, they all but stopped except for
> those shown above.
>
>
At least I overlooked this posting, sorry.
In rsyslog, everything happens in the order in which statements are given.
So I assume that those files you mention are written BEFORE
10-watchfile.conf is being processed.
I suggest simply copy&pasting the contents of 10-watchfile.conf right to
the top of rsyslog.conf. That way, we know exactly when it is executed and
that removes all doubt about other parts of the system configuration. If it
then works, and you would like the commands in a separate file, you can
begin to hunt down where the other config statements are given and bring
them into the right order.
Rainer
> Thank you for your valuable time.
>
> John Jones
> Cirrhus9.com
>
>
> On 09/25/2014 06:24 PM, John Jones wrote:
>
>> All fixed on rsyslogd 7.6.5
>>
>> There's something to be said about 'defaults' (with /slight/
>> modifications)
>>
>> Thank you David and Rainer!
>> John Jones
>> Cirrhus9.com
>> On 09/25/2014 04:35 PM, David Lang wrote:
>>
>>> On Thu, 25 Sep 2014, John Jones wrote:
>>>
>>>> Hello to the list:
>>>>
>>>> I have a remote host sending apache_{error,access}.log files to the
>>>> rsyslog-server, and that's all fine and good.
>>>> What I'm having trouble with is that the apache traffic is sending the
>>>> same traffic to /var/log/messages.
>>>>
>>>> I suspect it's the /etc/rsyslog.d/watchfile.conf that I created, and
>>>> here are the contents:
>>>> $ModLoad imfile
>>>> # apache error.log
>>>> $InputFileName /var/log/apache2/error.log
>>>> $InputFileTag error:
>>>> $InputFileStateFile state_file_error_apache
>>>> $InputFileFacility local6
>>>> $InputRunFileMonitor
>>>> $InputFilePollInterval 10
>>>>
>>>> # apache access.log
>>>> $InputFileName /var/log/apache2/access.log
>>>> $InputFileTag access:
>>>> $InputFileStateFile state_file_access_apache
>>>> $InputFileFacility local6
>>>> $InputRunFileMonitor
>>>> $InputFilePollInterval 10
>>>>
>>>> if $programname == 'access' then @rsyslog-server:514
>>>> & ~
>>>> if $programname == 'errors' then @rsyslog-server:514
>>>> & ~
>>>>
>>>
>>> on the ancient 3.x series, this is a very inefficient way of testing for
>>> this.
>>>
>>> log a few messages with the format RSYSLOG_DebugFormat so that you can
>>> see what the various variables actually contain and it will probably solve
>>> your problem.
>>>
>>>> The rsyslogd version on this host (from stock CentOS 5.10 repo) is:
>>>> rsyslogd 3.22.1, compiled with:
>>>> FEATURE_REGEXP: Yes
>>>> FEATURE_LARGEFILE: Yes
>>>> FEATURE_NETZIP (message compression): Yes
>>>> GSSAPI Kerberos 5 support: Yes
>>>> FEATURE_DEBUG (debug build, slow code): No
>>>> Atomic operations supported: Yes
>>>> Runtime Instrumentation (slow code): No
>>>>
>>>>
>>>> I changed InputFileFacility to local6 after reading this
>>>> <http://kb.monitorware.com/rsyslog-message-duplicates-t12273.html?hilit=duplicates&sid=9666af8003d631d35d5603149b6d54fb#p24305>
>>>> - no change.
>>>> I added $InputFileFacility local6 to the watchfile after reviewing
>>>> http://kb.monitorware.com/rsyslog-message-duplicates-t12273.html?hilit=duplicates#p24303
>>>> but it's not known to me if I have to do that for each watched file?
>>>>
>>>
>>> yes you would, and you probably want to give them different facilities.
>>>
>>>
>>>> The /etc/rsyslog.conf on this host seems sparse with:
>>>> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>>> $ModLoad imklog
>>>> $ModLoad imuxsock
>>>> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>>>> authpriv.* /var/log/secure
>>>> mail.* -/var/log/maillog
>>>> cron.* /var/log/cron
>>>> *.emerg *
>>>> uucp,news.crit /var/log/spooler
>>>> local7.* /var/log/boot.log
>>>> *.* @rsyslog-server::514
>>>>
>>>> It is not clear to me if this is the|an issue.
>>>>
>>>> I tried variations on
>>>> local6.=info /var/log/apache2/error.log
>>>> & ~
>>>> local6.=error /var/log/apache2/access.log
>>>> & ~
>>>> in the watchfile.conf but it didn't correct the problem.
>>>>
>>>
>>> this won't work because you are not setting the severity (I don't
>>> remember what it defaults to, but =info and =error are probably wrong)
>>>
>>> try local6.*
>>>
>>> David Lang
>>>
>>>> I do see "{host} access" and "{host} error" in the /var/log/messages
>>>> so I suspect it's a trivial matter.
>>>>
>>>> Examined references are
>>>> http://kb.monitorware.com/post24302....licates#p24302 <
>>>> http://kb.monitorware.com/post24302.html?hilit=duplicates#p24302>
>>>> https://access.redhat.com/discussions/650853
>>>> and several dozen search-engine results.
>>>>
>>>> Anything I try just seems to make it messier.
>>>> Can someone help this new rsyslog user out?
>>>>
>>>> Thank you for your time.
>>>>
>>>>
>>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>
>>
>>
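
The ordering advice in this thread, written out as an added example (not a configuration posted by anyone on the list): the imfile inputs and their forward-and-discard filters sit at the top of rsyslog.conf, ahead of the catch-all rule. File names, tags and the rsyslog-server host come from the thread; the debug log path is hypothetical, and the filter string is changed from the thread's 'errors' to 'error' so that it matches the tag "error:".

```conf
# /etc/rsyslog.conf -- constructed example, legacy directive syntax as in the thread

# Optional while debugging: dump every property of each message so the real
# value of $programname, facility and severity is visible.
# (/var/log/rsyslog-debug.log is a hypothetical path; remove when done.)
*.* /var/log/rsyslog-debug.log;RSYSLOG_DebugFormat

# 1. Inputs first.
$ModLoad imfile

# apache error.log
$InputFileName /var/log/apache2/error.log
$InputFileTag error:
$InputFileStateFile state_file_error_apache
$InputFileFacility local6
$InputRunFileMonitor

# apache access.log
$InputFileName /var/log/apache2/access.log
$InputFileTag access:
$InputFileStateFile state_file_access_apache
$InputFileFacility local6
$InputRunFileMonitor

# The poll interval is a module-wide setting, so it is stated once.
$InputFilePollInterval 10

# 2. Forward the watched files, then discard them so that no later rule
#    writes a second copy. $programname is the tag without the trailing
#    colon: tag "error:" gives programname "error", not "errors".
#    ("& ~" is the discard action used in the thread; rsyslog 7 and later
#    prefer "& stop".)
if $programname == 'error' then @rsyslog-server:514
& ~
if $programname == 'access' then @rsyslog-server:514
& ~

# 3. Only now the drop-in directory and the catch-all rules. Anything that
#    was discarded above never reaches them.
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Once this order works, the block can move back into a drop-in file as long as that file is still read before the first rule that writes to /var/log/messages or /var/log/syslog.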